Schneider patches yet ANOTHER dumb vuln
Smart buildings, dumb vulns, does it ever change?
Schneider Electric has pushed out a patch to an industrial control system which – stop me if you've heard this before – passes credentials between client and server in plain text.
CVE-2015-3962 applies to the company's Struxureware Building Expert, prior to version 2.15, and the company has released an update to the system (outlined in its advisory, PDF here).
The vulnerable system handles air-conditioning, lighting, and metering.
The ICS-CERT advisory accompanying the vuln says it hasn't been exploited, which The Register would regard as astonishingly good fortune, since if someone obtained credentials and signed in using a valid admin user ID, how would anyone know?
Independent researcher Artyom Kurbatov, who discovered the original vulnerability, confirmed to ICS-CERT that the Schneider firmware fix resolved the issue. ®